Bug 749050 - --reneg-sec breaks non-TLS modes
Status: RESOLVED FIXED
Product: NetworkManager
Classification: Platform
Component: VPN: openvpn
Version: 1.0.x
Hardware: Other Linux
Importance: Normal normal
Assigned To: NetworkManager maintainer(s)
Reported: 2015-05-07 02:01 UTC by Jan Alexander Steffens (heftig)
Modified: 2015-05-28 09:05 UTC
Attachments
service: only set reneg-sec option in TLS mode (1.08 KB, patch)
2015-05-27 08:49 UTC, Thomas Haller
needs-work

Description Jan Alexander Steffens (heftig) 2015-05-07 02:01:34 UTC
Since 1.0.2, --reneg-sec is always added, but OpenVPN will not accept this argument when neither --tls-server nor --tls-client is set.
Comment 1 David Rosenstrauch 2015-05-07 02:09:16 UTC
FYI - here are the log messages I'm seeing that demonstrate this issue:

May 06 21:56:08 daroseneo NetworkManager[484]: <info>  Starting VPN service 'openvpn'...
May 06 21:56:08 daroseneo NetworkManager[484]: <info>  VPN service 'openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 2079
May 06 21:56:08 daroseneo NetworkManager[484]: <info>  VPN service 'openvpn' appeared; activating connections
May 06 21:56:08 daroseneo NetworkManager[484]: <info>  VPN plugin state changed: starting (3)
May 06 21:56:08 daroseneo nm-openvpn[2084]: Options error: Parameter renegotiate_seconds can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.
May 06 21:56:08 daroseneo nm-openvpn[2084]: Use --help for more information.
May 06 21:56:08 daroseneo NetworkManager[484]: nm-openvpn-Message: openvpn started with pid 2084
May 06 21:56:08 daroseneo NetworkManager[484]: (nm-openvpn-service:2079): nm-openvpn-WARNING **: openvpn exited with error code 1
May 06 21:56:08 daroseneo NetworkManager[484]: <info>  VPN connection 'darsys' (ConnectInteractive) reply received.
May 06 21:56:08 daroseneo NetworkManager[484]: <warn>  VPN plugin failed: connect-failed (1)
May 06 21:56:08 daroseneo NetworkManager[484]: <info>  VPN plugin state changed: stopped (6)
May 06 21:56:08 daroseneo NetworkManager[484]: <info>  VPN plugin state change reason: unknown (0)
May 06 21:56:08 daroseneo NetworkManager[484]: <warn>  error disconnecting VPN: Could not process the request because no VPN connection was active.
Comment 2 Thomas Haller 2015-05-27 08:49:29 UTC
Created attachment 304055
service: only set reneg-sec option in TLS mode

https://bugzilla.gnome.org/show_bug.cgi?id=749050
https://bugzilla.redhat.com/show_bug.cgi?id=1225218
Comment 3 Beniamino Galvani 2015-05-27 15:17:44 UTC
Patch LGTM.
Comment 4 Dan Williams 2015-05-27 22:26:44 UTC
Review of attachment 304055:

::: src/nm-openvpn-service.c
@@ +1105,3 @@
 	/* Reneg seconds */
 	tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_RENEG_SECONDS);
+	if (strcmp (connection_type, NM_OPENVPN_CONTYPE_TLS) != 0) {
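
Review bot: On the added "if (strcmp (connection_type, NM_OPENVPN_CONTYPE_TLS) != 0)" line, the test matches every connection type except plain TLS, so the password-based types are handled as non-TLS along with static-key. The reported failure is OpenVPN rejecting --reneg-sec outside TLS mode, so the check should either single out the static-key type or list every type that runs in TLS mode. A one-line comment saying why the option is skipped would also help.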

You need to include CONTYPE_PASSWORD_TLS too.  Otherwise LGTM
Comment 5 Jiri Klimes 2015-05-28 07:04:20 UTC
I think --reneg-sec should be used for NM_OPENVPN_CONTYPE_TLS, NM_OPENVPN_CONTYPE_PASSWORD, NM_OPENVPN_CONTYPE_PASSWORD_TLS, because all three use '--client'.
We should just leave '--reneg-sec' out for the Static-Key mode.
Comment 6 Thomas Haller 2015-05-28 09:01:41 UTC
Fixed also for other connection-types.

Applied as https://git.gnome.org/browse/network-manager-openvpn/commit/?id=7f9031dbaee3059ea072fb2497563aee6acf8da0
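
The rule the thread settles on in comments 5 and 6, written out as an added C sketch (not the plugin's code): --reneg-sec is passed only for the connection types that start OpenVPN with --client and is left out for static-key. The connection-type strings, the argv helper and the numeric check on the value are assumptions made for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed string values for the NM_OPENVPN_CONTYPE_* names in the thread.
 * These three start OpenVPN with --client, which implies --tls-client. */
static const char *const TLS_MODE_TYPES[] = { "tls", "password", "password-tls" };

/* Returns 1 for a TLS-mode type, 0 for NULL, unknown or static-key. */
int contype_is_tls_mode(const char *contype)
{
    size_t i, n = sizeof TLS_MODE_TYPES / sizeof TLS_MODE_TYPES[0];
    for (i = 0; contype && i < n; i++)
        if (strcmp(contype, TLS_MODE_TYPES[i]) == 0)
            return 1;
    return 0;
}

/* Appends "--reneg-sec <value>" to argv (capacity cap, length *argc).
 * Returns 2 if added, 0 if skipped (unset value or non-TLS mode), -1 if
 * value is not plain decimal seconds in 0..INT_MAX or argv is full. */
int add_reneg_sec(const char **argv, size_t cap, size_t *argc,
                  const char *contype, const char *value)
{
    char *end;
    if (!value || !*value || !contype_is_tls_mode(contype))
        return 0;
    if (!isdigit((unsigned char)value[0]))  /* no sign, no leading space */
        return -1;
    errno = 0;
    long secs = strtol(value, &end, 10);
    if (errno || *end != '\0' || secs > INT_MAX)
        return -1;
    if (*argc > cap || cap - *argc < 2)
        return -1;
    argv[(*argc)++] = "--reneg-sec";
    argv[(*argc)++] = value;
    return 2;
}

int main(void)
{
    const char *argv[4] = { "openvpn" };
    size_t argc = 1;
    printf("%d\n", add_reneg_sec(argv, 4, &argc, "static-key", "3600"));
    return 0;
}
```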